Jun 22, 2022 - 9:45 p.m.

Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-33953)

2022-06-22 21:45:20
www.ibm.com

CVSS2: 2.1
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 4.6
Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 19.5%

Summary

Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-33953)

Vulnerability Details

CVEID: CVE-2022-33953
**DESCRIPTION:** IBM Robotic Process Automation could allow a user with physical access to the system to obtain sensitive information due to insufficiently protected access tokens.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229198 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Robotic Process Automation as a Service | < 21.0.2.5 |
| IBM Robotic Process Automation for Cloud Pak | < 21.0.2.5 |
| IBM Robotic Process Automation | < 21.0.2.5 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Product(s) | Version(s) | Remediation/Fix Instructions |
| --- | --- | --- |
| IBM Robotic Process Automation | < 21.0.2.5 | Download and apply 21.0.2 IF005 or higher. |
| IBM Robotic Process Automation for Cloud Pak | < 21.0.2.5 | Apply 21.0.2 IF005 or higher. |
| IBM Robotic Process Automation as a Service | < 21.0.2.5 | No action required. IBM RPA SaaS servers have been updated to 21.0.2.5 or higher. |

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm robotic_process_automation Match 21.0.1 OR ibm robotic_process_automation Match 21.0.2

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | robotic_process_automation | 21.0.1 | cpe:2.3:a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:* |
| ibm | robotic_process_automation | 21.0.2 | cpe:2.3:a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:* |
